IRC log of crypto on 2013-03-04

Timestamps are in UTC.

19:40:55 [RRSAgent]
RRSAgent has joined #crypto
19:40:55 [RRSAgent]
logging to
19:41:03 [wseltzer]
me trackbot, prepare teleconf
19:41:09 [trackbot]
RRSAgent, make logs public
19:41:11 [trackbot]
Zakim, this will be SEC_WebCryp
19:41:11 [Zakim]
ok, trackbot; I see SEC_WebCryp()3:00PM scheduled to start in 19 minutes
19:41:12 [trackbot]
Meeting: Web Cryptography Working Group Teleconference
19:41:12 [trackbot]
Date: 04 March 2013
19:41:43 [wseltzer]
wseltzer has changed the topic to: WebCrypto WG March 4, 20:00 UTC
19:49:07 [ddahl_]
ddahl_ has joined #crypto
19:52:44 [emily]
emily has joined #crypto
19:54:48 [virginie]
virginie has joined #crypto
19:58:03 [Zakim]
SEC_WebCryp()3:00PM has now started
19:58:12 [Zakim]
+ +
19:58:37 [Zakim]
19:59:03 [mountie]
zakim aaaa is mountie
19:59:19 [wseltzer]
zakim, aaaa is mountie
19:59:19 [Zakim]
+mountie; got it
19:59:24 [Zakim]
+ +1.512.257.aabb
19:59:41 [wseltzer]
zakim, aabb is virginie
19:59:41 [Zakim]
+virginie; got it
20:00:07 [virginie]
20:00:11 [virginie]
20:00:14 [markw]
markw has joined #crypto
20:00:24 [hhalpin]
hhalpin has joined #crypto
20:00:31 [virginie]
agenda+ welcome
20:00:45 [wseltzer]
[agenda ]
20:00:52 [virginie]
agenda+ Web Crypto API
20:00:55 [wseltzer]
wseltzer has changed the topic to: WebCrypto WG March 4, 20:00 UTC agenda:
20:01:09 [virginie]
agenda+ High Level API (if editors available)
20:01:14 [Zakim]
+ +1.408.540.aacc
20:01:21 [rsleevi]
rsleevi has joined #crypto
20:01:27 [wseltzer]
zakim, aacc is markw
20:01:27 [Zakim]
+markw; got it
20:01:34 [markw]
Zakim, aacc is markw
20:01:34 [Zakim]
sorry, markw, I do not recognize a party named 'aacc'
20:01:36 [virginie]
agenda+ secundary features
20:01:55 [virginie]
agenda+ group life
20:01:56 [Zakim]
20:02:00 [virginie]
agenda+ AOB
20:02:03 [rsleevi]
Zakim, ??P7 is Google
20:02:03 [Zakim]
+Google; got it
20:02:11 [Zakim]
+ +1.707.799.aadd
20:02:12 [rsleevi]
Zakim, Google has rsleevi
20:02:12 [Zakim]
+rsleevi; got it
20:02:22 [emily]
zakim, aadd is emily
20:02:22 [Zakim]
+emily; got it
20:02:36 [virginie]
Zakim, who is on the phone ?
20:02:36 [Zakim]
On the phone I see mountie, Wendy, virginie, markw, Google, emily
20:02:37 [Zakim]
Google has rsleevi
20:02:47 [virginie]
20:03:01 [Zakim]
20:03:16 [rbarnes]
rbarnes has joined #crypto
20:03:45 [Zakim]
+ +1.703.284.aaee
20:03:54 [johnsim]
johnsim has joined #crypto
20:04:03 [rbarnes]
zakim, i am aaee
20:04:03 [Zakim]
+rbarnes; got it
20:04:38 [virginie]
Zakim, who is on the phone ?
20:04:38 [Zakim]
On the phone I see mountie, Wendy, virginie, markw, Google, emily, ddahl, rbarnes
20:04:41 [Zakim]
Google has rsleevi
20:04:51 [Zakim]
20:05:01 [Zakim]
+ +1.512.257.aaff
20:05:15 [virginie]
20:05:21 [wseltzer]
zakim, Microsoft has John_Simmons
20:05:21 [Zakim]
+John_Simmons; got it
20:05:27 [wseltzer]
zakim, aaff is karen
20:05:28 [Zakim]
+karen; got it
20:06:26 [hhalpin]
Zakim, what's the code?
20:06:26 [Zakim]
the conference code is 27978 (tel:+1.617.761.6200, hhalpin
20:06:49 [wseltzer]
zakim, pick a scribe
20:06:49 [Zakim]
Not knowing who is chairing or who scribed recently, I propose John_Simmons
20:06:54 [Zakim]
20:07:02 [karen_]
karen_ has joined #crypto
20:07:03 [hhalpin]
Zakim, IPcaller is hhalpin
20:07:03 [Zakim]
+hhalpin; got it
20:08:08 [wseltzer]
Topic: Welcome
20:08:30 [wseltzer]
Chair: Virginie
20:08:35 [karen1]
karen1 has joined #crypto
20:08:40 [Zakim]
20:09:04 [johnsim]
topic: minutes of previous call
20:09:07 [virginie]
20:09:15 [wseltzer]
scribenick: johnsim
20:09:31 [johnsim]
no objection - minutes are approved
20:09:52 [johnsim]
topic: web crypto api
20:10:15 [johnsim]
call for action on whether we need to get IANA registration
20:10:38 [hhalpin]
Its not a requirement, but its a discussion that we need to take seriously
20:10:50 [hhalpin]
we would *not* do it without a WG decision.
20:11:14 [johnsim]
any comments?
20:11:41 [hhalpin]
20:11:43 [johnsim]
Ryan: strong objections. some of the fundamental objections is chartered purpose - web browsers versus generic API
20:11:48 [rbarnes]
20:12:34 [wseltzer]
ack hh
20:13:03 [johnsim]
@@: algorithm agility - other working groups have had similar problems - face to face or a separate phone call for this issue
20:13:13 [wseltzer]
20:13:17 [johnsim]
20:13:20 [rsleevi]
Registries: Good for protocols, bad for APIs
20:13:25 [wseltzer]
ack rbarnes
20:13:26 [rbarnes]
20:14:16 [johnsim]
Virginie: would like to understand how this should work - perhaps dedicated call to get common terminology would be fruitful
20:14:24 [hhalpin]
I think it depends. For example, one way to get around is to use URIs for algorithms, which is what XML-DSIG does.
20:14:34 [johnsim]
Virginie: joint working group - ? or better face-to-face?
20:15:09 [johnsim]
hhalpin: others have had this problem - a discussion between me and ryan - different positions - be careful before closing issue down
20:15:17 [rbarnes]
we need to clarify (1) what properties we need to get out of the process for managing algorithms, (2) what the concrete proposed processes are for adding algorithms are, and (3) how they perform relative to the requirements
20:15:20 [hhalpin]
Given that lots of other WGs and W3C staff are at Paypal, that makes sense.
20:15:26 [johnsim]
virginie: set up call for appropriate people?
20:15:57 [johnsim]
virginie: one call before f2f meeting
20:16:11 [johnsim]
virginie: harry - ACTION - one call dedicated to that
20:16:29 [johnsim]
Virginie: comments?
20:16:40 [hhalpin]
Like I said, I'm OK for not having a registry, but Thomas Roessler W3C brought that up when there was an internal review and still wants to see a wider discussion.
20:16:46 [wseltzer]
ACTION hhalpin to schedule call about registry, due 4/15
20:16:47 [trackbot]
Created ACTION-76 - Schedule call about registry, due 4/15 [on Harry Halpin - due 2013-03-11].
20:16:50 [johnsim]
Virginie: next idea of this call - different proposals - harry mentioned we did not close previous action
20:17:53 [hhalpin]
20:18:29 [johnsim]
hhalpin: issue 18 we should go for consensus now
20:18:50 [virginie]
PROPOSAL : close ISSUE-18 on the basis that the WG is not going to adress this feature
20:19:02 [wseltzer]
20:19:02 [trackbot]
ISSUE-18 -- Should it be possible to perform CryptoOperations as a 'streaming' operation with URI semantics? -- closed
20:19:02 [trackbot]
20:19:05 [hhalpin]
PROPOSAL: Close ISSUE-18 - Should it be possible to perform CryptoOperations as a 'streaming' operation with URI semantics?
20:19:40 [rbarnes]
20:19:44 [virginie]
20:19:48 [hhalpin]
20:19:50 [mountie]
20:19:52 [ddahl_]
20:19:54 [wseltzer]
20:19:55 [rsleevi]
20:20:27 [hhalpin]
There are no proposals, thus it should be closed.
20:20:28 [hhalpin]
CLOSED: ISSUE-18 - Should it be possible to perform CryptoOperations as a 'streaming' operation with URI semantics?
20:20:50 [johnsim]
Virginie: next one related to ISSUE 40
20:21:03 [wseltzer]
20:21:03 [trackbot]
ISSUE-40 -- How should we define key discovery, noting asynchronicity -- open
20:21:03 [trackbot]
20:21:23 [johnsim]
Virginie: Wide issue and key discovery API was solving it.
20:21:51 [johnsim]
Watson: thought this should be closed.
20:22:06 [hhalpin]
However, have we thought through the privacy and security implications enough?
20:22:07 [virginie]
PROPOSAL : Close ISSUE-40 -- How should we define key discovery, noting asynchronicity
20:22:19 [markw]
20:22:21 [rsleevi]
20:22:22 [virginie]
20:22:24 [ddahl_]
20:22:24 [hhalpin]
I have brought those up, there was concerns from the cryptographic and security community here.
20:22:25 [hhalpin]
20:22:29 [rbarnes]
20:22:30 [johnsim]
20:22:34 [wseltzer]
20:22:34 [mountie]
20:22:55 [hhalpin]
Actually, there's not consensus :)
20:22:58 [johnsim]
CLOSED: Issue 40
20:23:49 [rsleevi]
20:24:00 [johnsim]
Review the crypto API and there is concerns about security boundaries, import/export, as long as we can discuss new and different ways to address these concerns
20:24:32 [johnsim]
hhalpin: happy to close the issue with the caveat that we get a proper review
20:24:49 [johnsim]
hhalpin: before going to last call
20:24:54 [virginie]
20:25:29 [johnsim]
Ryan: i am going to suggest that we close these issues. we should not be keeping broad issues open.
20:25:45 [hhalpin]
i.e. there were concerns re security boundaries and the possibility of "super-keys"
20:26:48 [johnsim]
Virginie: issue 40 is broad, and does not mention the privacy concern you are highlighting, and open an action about the review related to privacy aspects.
20:27:14 [rsleevi]
strongly disagree re: UX
20:27:36 [johnsim]
hhalpin: happy to close but object to closing issue 9 without proper review
20:28:12 [johnsim]
Virginie: could you write down so we have an action as you have described - also problem of user action - is that linked?
20:28:38 [johnsim]
Hhalpin: user action is one way of dealing with it. Issue 9 is appropriate to hold the problem
20:29:01 [johnsim]
Virginie: process point. do we need to go again to the voting? or do we say working group after discussion agreed
20:29:30 [hhalpin]
So, thus I say: I change my vote to +1 given that we keep ISSUE-9 open.
20:29:32 [hhalpin]
And thus,
20:29:44 [hhalpin]
20:30:37 [wseltzer]
20:30:37 [trackbot]
ISSUE-37 -- Method naming -- open
20:30:37 [trackbot]
20:30:38 [johnsim]
Virginie: next issue - that could be discussed - proposed to be closed - Issue 37
20:30:43 [virginie]
PROPOSAL: Close ISSUE-37 - Method Naming
20:31:17 [rsleevi]
20:31:18 [johnsim]
hhalpin: relates to JOSE working group
20:31:23 [rbarnes]
20:31:33 [virginie]
ack virginie
20:31:48 [rbarnes]
yes, this is not jose
20:31:50 [rbarnes]
that's later :)
20:31:50 [johnsim]
ryan: this issue has nothing to do with JOSE, just API naming
20:31:53 [rbarnes]
20:31:57 [hhalpin]
Ah, that's fine.
20:32:10 [johnsim]
ryan: resolved since our draft 2 - nothing to do with JOSE
20:32:44 [rsleevi]
20:32:45 [hhalpin]
PROPOSAL: Close ISSUE-37 - Method Naming
20:32:47 [hhalpin]
20:32:48 [rbarnes]
20:32:48 [ddahl_]
20:32:48 [virginie]
20:32:50 [mountie]
20:32:52 [wseltzer]
20:32:52 [markw]
20:32:56 [karen1]
20:33:01 [hhalpin]
No text changes required, current editors draft is sufficient.
20:33:05 [johnsim]
CLOSED: Issue 37
20:33:57 [rsleevi]
20:33:57 [trackbot]
ISSUE-33 -- Clarify text in section 5.1 with respect to how key tainting is handled with multi-origin scenario -- open
20:33:57 [trackbot]
20:34:07 [Zakim]
20:34:53 [rbarnes]
rbarnes has left #crypto
20:34:54 [virginie]
PROPOSAL: Close ISSUE-33 - Clarify text in section 5.1 with respect to how key tainting is handled with multi-origin scenario
20:35:06 [rbarnes]
rbarnes has joined #crypto
20:35:07 [rsleevi]
20:35:07 [markw]
20:35:08 [virginie]
20:35:09 [rbarnes]
20:35:11 [mountie]
20:35:11 [ddahl_]
20:35:13 [hhalpin]
Can someone specify what we are doing to close the issue? It seems to be informative text
20:35:21 [rbarnes]
nothing, afaict
20:35:30 [nvdbleek2]
nvdbleek2 has joined #crypto
20:35:32 [rsleevi]
We're acknowledging that the current text is sufficient
20:36:12 [rbarnes]
20:36:17 [rbarnes]
20:36:54 [nvdbleek2]
zakim, code?
20:36:54 [Zakim]
the conference code is 27978 (tel:+1.617.761.6200, nvdbleek2
20:36:56 [hhalpin]
The working group thinks key tainting should be allowed and no informative text is necessary to warn people or WebApp developers around key tainting.
20:37:02 [hhalpin]
Does that capture the resolution?
20:37:16 [hhalpin]
20:37:21 [Zakim]
20:37:28 [nvdbleek2]
zakim, I am P8
20:37:28 [Zakim]
sorry, nvdbleek2, I do not see a party named 'P8'
20:37:32 [johnsim]
CLOSED: Issue 33
20:37:41 [rsleevi]
20:37:41 [trackbot]
ISSUE-31 -- Problems with keys attribute of the Crypto interface -- open
20:37:41 [trackbot]
20:37:58 [johnsim]
Virginie: next item - ISSUE-32
20:39:24 [johnsim]
key discovery API - concerns raised with original draft 1, no longer an issue in key discovery draft
20:39:43 [virginie]
PROPOSAL: CLOSE ISSUE-31 -- Problems with keys attribute of the Crypto interface
20:39:45 [rbarnes]
20:39:48 [rsleevi]
20:39:50 [virginie]
20:39:51 [mountie]
20:39:59 [markw]
20:40:03 [hhalpin]
20:40:18 [virginie]
ack rsleevi
20:40:27 [johnsim]
hhalpin: addressed and closed or moved to the key discovery draft?
20:40:31 [hhalpin]
i.e. moved and closed
20:40:33 [hhalpin]
or just moved
20:40:39 [hhalpin]
The issue tracker is for multiple documents
20:40:49 [rsleevi]
moved and closed (as the organization that raised it, I can confirm our concerns have long since been addressed)
20:40:50 [hhalpin]
So, its not relevant for the key discovery API.
20:41:24 [hhalpin]
20:41:37 [johnsim]
CLOSED: Issue-31
20:41:56 [rsleevi]
20:41:56 [trackbot]
ISSUE-29 -- Handling of block encryption modes and padding -- open
20:41:56 [trackbot]
20:42:00 [johnsim]
Virginie: next issue is last one, so to have chance to discuss high level api
20:43:09 [johnsim]
decided to continue to treat them as independent algorithms.
20:43:13 [virginie]
PROPOSAL : Close ISSUE-29 -- Handling of block encryption modes and padding
20:43:18 [rsleevi]
20:43:21 [mountie]
20:43:23 [virginie]
20:43:31 [markw]
20:43:33 [ddahl_]
20:43:37 [karen1]
20:43:39 [wseltzer]
20:43:39 [rbarnes]
+1, if you're ok with the combinatorial explosion :)
20:43:59 [hhalpin]
20:44:12 [johnsim]
CLOSED: Issue-29
20:44:43 [johnsim]
Virginie: pay attention to the high level API
20:44:59 [johnsim]
TOPIC: High level API
20:47:08 [johnsim]
David: i do have a draft, basically, something easier and safer to use for web app developers - still think this is not a counter proposal to low level API but an additional API
20:47:57 [johnsim]
David: don't want to put forward a proposal that another browser provider would not implement
20:48:27 [hhalpin]
I think the W3C would like a high-level API, as that was in our charter as well, under "Mission".
20:49:24 [virginie]
20:49:37 [rsleevi]
20:49:41 [hhalpin]
ack hhalpin
20:50:33 [johnsim]
hhalpin: concern some in w3c - can we get a reasonable high level API across different browsers?
20:50:43 [hhalpin]
and can we do a timeframe that makes sense?
20:51:15 [johnsim]
virginie: spoke with different developers - for the crypto-educated people, sounds usable, but those unfamiliar - it is a problem - so i support a high level API
20:51:47 [johnsim]
Ryan: i have been meeting with crypto community on this issue
20:52:13 [johnsim]
Ryan: i strongly believe any high level API will have to be done by serious cryptographers - and we have none in this working group
20:52:39 [rbarnes]
20:52:51 [virginie]
ack virginie
20:53:03 [johnsim]
Ryan: if we embark on a high level API, it requires very concrete use cases and threat model
20:53:06 [virginie]
ack rsleevi
20:53:07 [mountie]
I agree with Ryan's opinion
20:53:30 [johnsim]
Ryan: Same level as low level API
20:53:42 [virginie]
20:54:44 [johnsim]
rbarnes: regardless high or low level, it will be handled by unskilled developers
20:55:22 [rsleevi]
That's like saying WebGL will be used by people who don't understand 3D. Sure, they're not the target of the API. It's a false premise to think you can deliver secure code without having to think about security.
20:55:43 [virginie]
20:55:48 [rbarnes]
20:55:52 [rbarnes]
ack rbarnes
20:56:10 [johnsim]
virginie: i hear that we don't have the right people in the working group, so we should bring them in
20:56:24 [johnsim]
virginie: second, we will need appropriate use cases for designing the api
20:56:43 [rbarnes]
rsleevi: the difference is (1) when your webgl code doesn't work, it's obvious, and (2) when your webgl code is wrong, you don't expose sensitive information
20:57:01 [johnsim]
virginie: harry - you have been offering to try to organize some calls with people designing other high level api - still something you can do?
20:59:08 [johnsim]
Ryan: i think you have the steps wrong - first step is use cases and then getting right people on board for security
20:59:55 [hhalpin]
My concerns are even the people who want the use-cases aren't here.
21:00:18 [hhalpin]
But they may nonetheless be very valid use-cases for a high-level API by ordinary web-developers
21:00:46 [johnsim]
Virginie: end of conference call - no decision from this discussion - but clear direction - make use cases clear and get right people to join the working group
21:00:50 [virginie]
21:01:23 [wseltzer]
21:01:51 [johnsim]
wseltzer: administrative manner - European and US clocks go out of sync for next three weeks
21:01:59 [rbarnes]
21:02:03 [Zakim]
21:02:04 [wseltzer]
ack ws
21:03:04 [rbarnes]
jose on wednesday:
21:03:17 [Zakim]
21:03:35 [Zakim]
21:03:36 [Zakim]
21:03:36 [Zakim]
21:03:39 [Zakim]
21:03:41 [Zakim]
21:03:42 [Zakim]
21:03:44 [Zakim]
21:03:44 [virginie]
and thanks to simon fro scribing :)
21:03:46 [Zakim]
21:03:53 [Zakim]
21:03:55 [wseltzer]
trackbot, end teleconf
21:03:55 [trackbot]
Zakim, list attendees
21:03:55 [Zakim]
As of this point the attendees have been +, Wendy, mountie, +1.512.257.aabb, virginie, +1.408.540.aacc, markw, +1.707.799.aadd, rsleevi, emily, ddahl,
21:03:58 [Zakim]
... +1.703.284.aaee, rbarnes, +1.512.257.aaff, John_Simmons, karen, hhalpin, Arun_Ranganathan
21:04:03 [trackbot]
RRSAgent, please draft minutes
21:04:03 [RRSAgent]
I have made the request to generate trackbot
21:04:04 [trackbot]
RRSAgent, bye
21:04:04 [RRSAgent]
I see no action items